Amihai Neiderman, head of research at Israel-based Equus Technologies, discovered 40 previously undisclosed vulnerabilities that could allow remote compromise of Samsung gear running its Tizen operating system: smart TVs, Gear smartwatches, and smartphones. Samsung plans to use Tizen on its washing machines and refrigerators, too. One particularly critical flaw, a heap overflow in Samsung’s TizenStore app, allowed Neiderman to hijack the app and deliver malicious code to his Samsung TV. Every Tizen-based device connects to the TizenStore to receive apps and app updates, so a vulnerability there could allow malicious code to be pushed to millions of devices running the Tizen operating system.
Neiderman contacted Samsung months ago about the vulnerabilities but received only an automated email response. Now, after publication of Neiderman’s findings, Samsung has responded that it will work with the researcher to patch the vulnerabilities.
Fixing Tizen will most likely take some time, so while we wait, the safest course is to cut internet connectivity on any Tizen-based gear we might have: Samsung’s TVs (4K SUHD TV, 4K UHD TV, LED TV), smartphones (Z1, Z2, Z3), wearables (Gear S, Gear 2, Gear 2 NEO, Gear S2, Gear S3), etc. Keep in mind that a disconnected device also cannot receive patches, so it will need to go back online once Samsung ships a fix. TVs can easily be used without a direct internet connection, since devices such as Apple TV, Chromecast, and Roku can handle the streaming instead, and Gear watches can be used simply as watches, but Tizen smartphones will realistically become useless unless Samsung works quickly to patch all of Tizen’s vulnerabilities.